chore(scanning): update workflows

StatCan · Jul 28, 2023 · 55ee657 · 55ee657
1 parent 01224b1
commit 55ee657
Showing 1 changed file with 26 additions and 9 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -19,9 +19,15 @@ on:
 # Environment variables available to all jobs and steps in this workflow
 env:
   REGISTRY_NAME: k8scc01covidacr
+  TRIVY_VERSION: "v0.43.1"
 jobs:
   build:
     runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     steps:
     - uses: actions/checkout@master
 
@@ -32,13 +38,24 @@ jobs:
         username: ${{ secrets.REGISTRY_USERNAME }}
         password: ${{ secrets.REGISTRY_PASSWORD }}
 
-    # Container build and push to a Azure Container registry (ACR)
-    - run: |
-        docker build -f Dockerfile -t ${{ env.REGISTRY_NAME }}.azurecr.io/s3proxy:${{ github.sha }} .
-        docker push ${{ env.REGISTRY_NAME }}.azurecr.io/s3proxy:${{ github.sha }}
+    # Container build
+    - name: Build image
+      run: |
+        docker build -f Dockerfile -t localhost:5000/s3proxy:${{ github.sha }} .
+        docker push localhost:5000/s3proxy:${{ github.sha }}
+        docker rmi localhost:5000/s3proxy:${{ github.sha }}
+        docker image prune
+
     # Scan image for vulnerabilities
-    - uses: Azure/container-scan@v0
-      with:
-        image-name: ${{ env.REGISTRY_NAME }}.azurecr.io/s3proxy:${{ github.sha }}
-        severity-threshold: CRITICAL
-        run-quality-checks: false
+    - name: Aqua Security Trivy image scan
+      run: |
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}
+        trivy image localhost:5000/s3proxy:${{ github.sha }} --exit-code 1 --timeout=20m --security-checks vuln --severity CRITICAL
+
+
+    # Push if passed scanning
+    - name: Push image to registry
+      run: |
+        docker pull localhost:5000/profiles-controller:${{ github.sha }}
+        docker tag localhost:5000/profiles-controller:${{ github.sha }} ${{ env.REGISTRY_NAME }}.azurecr.io/s3proxy:${{ github.sha }}
+        docker push ${{ env.REGISTRY_NAME }}.azurecr.io/s3proxy:${{ github.sha }}